Lookout, a San Francisco-based security firm, released new security research this week that found adware targeting Android that is both dangerous in its approach and widespread.
Michael Bentley, Lookout's head of research and response, wrote in a Nov. 4 blog: "Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that."
This trojanized adware was evidently downloaded from third-party app stores rather than from Google Play, the official Google app store for Android. That makes its infection vector different from that of the XcodeGhost malware, which snuck past Apple's App Store review.
Bentley also noted in his blog:
Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others. […] Indeed, we believe many of these apps are actually fully-functional, providing their usual services, in addition to the malicious code that roots the device.
Rooting the device in this case means there is no way to simply uninstall the malware: it uses its root access to install itself as a system app, which the user cannot remove.
The Lookout research suggests that the only way a user can regain a normal device is by seeking out professional help or purchasing a new smartphone -- an expensive proposition. A factory reset won't do it, since a reset wipes user data but leaves the system partition, where the adware now lives, untouched. The retailer that sold the phone may be able to get the manufacturer to reflash the operating system, which may solve the problem.
This is a new kind of adware, one that works quietly in the background instead of being noisy, obnoxious, and clearly right in your face. With the root access it gains, the adware can make other applications do whatever it wants inside Android; for example, it can install other apps on its own.
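Two of the behaviours described above give a defender something concrete to check for, shown here as an added example (not Lookout's code): a repackaged copy of a brand-name app cannot carry the original developer's signing key, and an APK the OEM never shipped has no business sitting on the system partition. The package names are real Android package identifiers; the signer digests, APK paths and the inventory itself are constructed placeholders.

```python
from dataclasses import dataclass

# Placeholder signer digests for two brand-name apps the report names; real
# values must come from the genuine APKs (constructed for this example).
KNOWN_SIGNERS = {
    "com.facebook.katana": "sha256:GENUINE-FACEBOOK-SIGNER-PLACEHOLDER",
    "com.twitter.android": "sha256:GENUINE-TWITTER-SIGNER-PLACEHOLDER",
}
# Only a process with root can write here; normal installs land under /data/app.
SYSTEM_DIRS = ("/system/app/", "/system/priv-app/")

@dataclass
class InstalledApp:
    package: str
    apk_path: str
    signer: str               # digest of the APK signing certificate
    in_factory_image: bool    # listed in the OEM's factory image manifest

def classify(app: InstalledApp) -> list[str]:
    """Return findings for one installed app (empty if nothing is odd)."""
    findings = []
    expected = KNOWN_SIGNERS.get(app.package)
    if expected is not None and app.signer != expected:
        # A repackaged app cannot carry the original developer's signature.
        findings.append("repackaged: signer mismatch")
    if app.apk_path.startswith(SYSTEM_DIRS) and not app.in_factory_image:
        # A system app the OEM never shipped was planted after rooting.
        findings.append("unexpected system app")
    return findings

def scan(inventory: list[InstalledApp]) -> dict[str, list[str]]:
    """Map package name -> findings for every app that raised one."""
    return {app.package: f for app in inventory if (f := classify(app))}

# Constructed inventory: genuine app, repackaged app, planted system app, OEM app.
SAMPLE_INVENTORY = [
    InstalledApp("com.facebook.katana", "/data/app/com.facebook.katana-1/base.apk",
                 "sha256:GENUINE-FACEBOOK-SIGNER-PLACEHOLDER", False),
    InstalledApp("com.twitter.android", "/data/app/com.twitter.android-1/base.apk",
                 "sha256:UNKNOWN-THIRD-PARTY-SIGNER", False),
    InstalledApp("com.example.planted.service", "/system/priv-app/planted/planted.apk",
                 "sha256:UNKNOWN-THIRD-PARTY-SIGNER", False),
    InstalledApp("com.example.oem.dialer", "/system/app/Dialer/Dialer.apk",
                 "sha256:OEM-SIGNER-PLACEHOLDER", True),
]

if __name__ == "__main__":
    for package, findings in scan(SAMPLE_INVENTORY).items():
        print(package, "->", ", ".join(findings))
```

On a real device the inventory would be built from `adb shell pm list packages -f` plus each APK's certificate digest, and the factory-image list from the OEM's build manifest.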
Lookout has identified three distinct but interconnected strains of this kind of trojanized adware: Shuanet, Kemoge (ShiftyBug), and Shedun (GhostPush). The three strains have been found in several different countries, with the greatest number of detections in the US, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.
Lookout examined all three strains and found 71% to 82% code similarity between them. All three also use some of the same rooting exploits, including Memexploit, Framaroot, and ExynosAbuse. However, the researchers do not believe the strains were created by the same author or group, though they said the authors may be associated in some capacity.
It seems that, given the prevalence of this malware, only apps downloaded directly from the Google Play store can be trusted. This precaution has long been advocated by many, but is often ignored. In light of this new research, anyone using an Android device should treat any app hosted by a third-party store as potentially compromised.